Giving the voter a paper record of the ballot is a step toward voter empowerment, because it contains a digital signature that proves that it was legitimately cast. This record does not violate the secrecy of the vote – it remains the decision of the voter alone whether to disclose how she or he voted. But possession of the paper record of the ballot does permit the voter to take ownership of their own vote in a qualitatively new way – namely, by assuring that it was not tampered with after it was cast. The right to vote is meaningless unless it is backed by the right to guarantee that the vote is properly counted.

It sounds like a great idea—control your own privacy!—but where voting is concerned, it’s not. The Secret Ballot is not Optional. If it were, the election would be coercible. Consider a “friendly office bulletin board” where co-workers are gently encouraged to post their ballot for all to see. Or the same thing at your local church/synagogue/mosque. Or at the union offices. Sure, you don’t have to post your ballot there. But if you don’t, well… it’s pretty clear that you didn’t vote “as expected.”

The Secret Ballot is meant to protect voters from undue influence because individual voters are not expected to be capable of truly protecting themselves. That’s why a voting system must preserve ballot secrecy, even against the wishes of the voters themselves. And that’s one of the many reasons why building a secure voting system is difficult.

In cryptographic voting systems, voters get a receipt of their vote, but the content of the vote on this receipt is encrypted. Thus, vote selling is prevented, but voters still get to verify that their ballot made it into the tally: simply check the voting web site for your encrypted ballot. A separate mechanism allows voters to determine, while they’re in the voting booth, that this encrypted vote really does correspond to their selection. More on that in a later post.
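
The receipt check described above, sketched as an added example (not code from any voting system or from this post): the receipt is a fingerprint of an encrypted ballot, so it can be looked up on the public board without revealing the choice. The toy exponential-ElGamal parameters, the function names and the homomorphic tally, which goes a step beyond what the post describes, are all assumptions for illustration.

```python
import hashlib
import secrets

# Toy parameters, assumed for illustration only; not suitable for a real election.
P = 2**127 - 1   # a Mersenne prime
G = 3

def keygen():
    """Election key pair: secret exponent and the matching public key."""
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)

def encrypt_vote(pk, choice, r=None):
    """Encrypt choice (0 or 1); fresh randomness r makes every ciphertext unique."""
    r = r if r is not None else secrets.randbelow(P - 2) + 1
    return (pow(G, r, P), pow(G, choice, P) * pow(pk, r, P) % P)

def receipt(ct):
    """What the voter takes home: a fingerprint of the ciphertext, not the vote."""
    return hashlib.sha256(f"{ct[0]}:{ct[1]}".encode()).hexdigest()

def on_board(board, rcpt):
    """Voter-side check: is my encrypted ballot among those published?"""
    return any(receipt(ct) == rcpt for ct in board)

def tally(sk, board):
    """Multiply all ciphertexts and decrypt only the product: the count of 1-votes."""
    c1 = c2 = 1
    for a, b in board:
        c1, c2 = c1 * a % P, c2 * b % P
    g_sum = c2 * pow(c1, -sk, P) % P          # equals G**(sum of choices) mod P
    return next(n for n in range(len(board) + 1) if pow(G, n, P) == g_sum)

def demo():
    sk, pk = keygen()
    votes = [1, 0, 1, 1]                      # constructed sample ballots
    board = [encrypt_vote(pk, v) for v in votes]
    mine = receipt(board[0])
    # The voter finds the receipt on the board; the total is computed without
    # decrypting any individual ballot.
    return on_board(board, mine), tally(sk, board)

if __name__ == "__main__":
    print(demo())
```

A real system also needs proofs that each ciphertext encrypts a valid choice and that the tally was decrypted correctly; this sketch leaves both out.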

Ben,
Your statement that “a voting system must preserve ballot secrecy, even against the wishes of the voters themselves,” invites a more precise consideration of the meaning of ballot secrecy.
To begin with, I’d like to make two rather obvious points:
1. The voter knows how she voted. I would call this the First Principle of Voting. It is true in both secret and open ballot systems. It is desirable to use this knowledge to protect the integrity of the system and to enhance voter confidence in the integrity of the system.
2. The voter has the right to refuse to disclose how she voted, to disclose how she voted, or to lie about how she voted. Call this the Second Principle of Voting. This right is an essential part of political freedom and it must be protected by law and custom. It cannot be guaranteed by technology or by election procedure. I assume that you do not mean to reject this right when you say that “a voting system must preserve ballot secrecy, even against the wishes of the voters.”
A good voting system precludes the disclosure of a voter’s election choices except by the action of the voter, but it cannot prevent social pressure to disclose (or to not disclose).
Let’s adopt your test example of a coercive atmosphere created by the “friendly office bulletin board.”
Say that Veronica lives in a precinct that is overwhelmingly forest-friendly, and that she herself belongs to the Forest Fanatic Society. Nevertheless, for reasons that seem good and sufficient to her, she votes for Joe Logger for chief forest ranger.
Scenario A: Community pressure. Suppose that no voter receipts have been issued. The Forest Fanatics ask each of their members to state publicly that they voted against Joe Logger. Veronica has three choices: she may refuse to make any statement about her vote, she may disclose it or she may lie about it. Now suppose that the VOICEVote system is in effect, and that Veronica has been issued a voter receipt and that all ballots have been posted on the Internet. If the Forest Fanatics ask all their members to post their ballots on the community bulletin board, Veronica has exactly the same three options: she may refuse to post any ballot, or she may post the receipt for her vote, or she may download a ballot from the Internet that was cast against Joe Logger and post it. There is nothing to distinguish a downloaded ballot from one distributed at the polling place, and nothing to indicate the identity of the voter on any ballot. Therefore, Victoria’s posted ballot no more proves how she voted than a verbal statement. Since it would be common knowledge that anyone could download any ballot, the entire practice of exerting social pressure in this way would be discouraged.
Scenario B: Stolen vote. Suppose that the pro-forest sentiment in this jurisdiction is so strong that the precinct election judges and the Democratic and Republican poll watchers collaborate to discard Victoria’s vote for Joe Logger. In the VOICEVote system, Victoria can prove that her vote has been discarded by producing her digitally signed ballot, and trigger an audit of the election, which would be performed using the printed paper ballots.
What’s more, she can accomplish this anonymously by sending her signed vote receipt to a vote integrity organization — say, the Center for Election Responsibility and Trust (CERT). The vote receipt in the hands of CERT has the same power to challenge the theft of Victoria’s vote as it has in Victoria’s hands. In this sense, the VOICEVote system greatly enhances the secrecy of the ballot: it allows a voter whose vote has been stolen to effectively challenge the theft without disclosing her identity.
Scenario C: Suspicion of stolen votes. Suppose that no votes are actually altered or discarded, but Victoria, knowing the strength of pro-forest sentiment, is suspicious that election fraud has occurred. Under the VOICEVote system, her suspicion is dispelled by the fact that she can confirm that her own vote for Joe Logger was properly recorded and by the knowledge that every other voter can likewise check their own vote and can anonymously challenge any instance of vote tampering.
We have designed the VOICEVote protocol with the dual objectives of securing elections against tampering and of giving the public confidence in the integrity of the system. We believe that the combination of well-established cryptography with simplicity, transparency and direct involvement of the public, including in the post-voting phase, is the best means of achieving these goals.